Guidelines for fighting online fraud

Online fraud causes more problems than the direct financial losses to users and businesses from a specific incident. One long-term effect is lost online business as users come to fear identity theft and exploitation.

Carol Baroudi of the Aberdeen Group wrote an excellent article for TechNewsWorld in which she provides guidelines that help control online fraud and bolster customer confidence. They are based on successful anti-fraud controls implemented by what Baroudi describes as "Best-in-Class" performing online organizations.

The article is a summary of research conducted by the Aberdeen Group (see my post about how to integrate these types of reports into your planning process). The recommendations derived from the research are based on Aberdeen's PACE (Pressures, Actions, Capabilities, and Enablers) framework and detailed in the final findings document. Figure 1 is a summary of these findings.

Figure 1

The following are Baroudi's Best-in-class guidelines with some of my comments (italicized) thrown in.

Implement initial authentication of account holders by deploying an authentication solution.
Under no circumstances should an organization allow the creation of an account if it has not validated the identity of the account-holder-to-be. Using verified information already on file is one way to verify identity. Another method is sending a PIN or other identifier to a verified home or email address. Regardless of the approach, assuming the person is who he says he is without proof is negligent business behavior.

Implement data masking, compliant with the Payment Card Industry Data Security Standard.
Data masking is a good way to protect information that must be collected. However, before masking data it's a good idea to ask whether a business process actually requires the collection of each piece of information and whether it must be retained. If retention is required--even temporarily--how long is a reasonable retention period? This goes to the premise that you should collect only enough information to complete a transaction. Once the transaction is complete, data elements such as credit card numbers are often no longer required and should be deleted.
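The two halves of that recommendation, masking what is displayed and deleting what is no longer needed, as an added example (not code from the article or from Aberdeen's report). The masking rule keeps at most the first six and last four digits, which was the PCI DSS display limit at the time; the record layout, the one-day retention window and the test card numbers are constructed for the example.

```python
"""Mask a card number for display and purge stored card data once a
transaction no longer needs it. Added example; retention window, record
layout and sample data are assumptions, not from the article."""
from datetime import datetime, timedelta, timezone


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used only to reject obvious garbage before masking."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with everything but the first six and last four digits
    replaced by '*'. Raises on anything that is not a plausible PAN so that
    a mis-routed field (a name, a CVV) is never echoed back unmasked."""
    pan = pan.replace(" ", "").replace("-", "")
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def purge_card_data(records: list, now: datetime,
                    max_age: timedelta = timedelta(days=1)) -> int:
    """Drop the full PAN from any record that is settled or older than
    max_age, keeping only the masked form. Returns how many PANs were removed."""
    removed = 0
    for r in records:
        if "pan" not in r:
            continue  # already purged
        if r["settled"] or now - r["captured_at"] > max_age:
            r["pan_masked"] = mask_pan(r["pan"])
            del r["pan"]
            removed += 1
    return removed


# Constructed sample data: well-known test card numbers, not real accounts.
SAMPLE_NOW = datetime(2024, 1, 2, tzinfo=timezone.utc)


def sample_records() -> list:
    """Three constructed transaction records in different retention states."""
    return [
        {"id": 1, "pan": "4111111111111111", "settled": True,
         "captured_at": SAMPLE_NOW - timedelta(hours=1)},   # settled: purge
        {"id": 2, "pan": "5555555555554444", "settled": False,
         "captured_at": SAMPLE_NOW - timedelta(hours=1)},   # in flight: keep
        {"id": 3, "pan": "5555555555554444", "settled": False,
         "captured_at": SAMPLE_NOW - timedelta(days=2)},    # stale: purge
    ]


if __name__ == "__main__":
    recs = sample_records()
    print("purged", purge_card_data(recs, SAMPLE_NOW), "PANs")
    for r in recs:
        print(r["id"], r.get("pan_masked", "<full PAN still held>"))
```

The purge runs as a scheduled job against whatever store holds the records; the point is that the retention decision is made explicitly per record rather than left to whenever someone remembers to clean up.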

Measure the number of incidents of fraud and the financial loss associated with each incident. Measure how many user accounts are active, how many transactions each generates, and the value of those transactions.
Anomaly detection is always a good security control, whether for online or local transactions. Questionable deviations from a baseline should trigger a formal documented response.
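What "deviation from a baseline" looks like in practice, as an added example that is not part of the article or Aberdeen's research: the per-account counts and values the guideline says to measure are turned into a baseline (mean and standard deviation of daily activity), and a day is flagged when it lands far outside it. The history, the "today" figures, the z-score threshold and the minimum-history rule are all constructed assumptions for the example.

```python
"""Baseline-and-deviation check over per-account transaction history.
Added example; sample data and thresholds are assumptions, not from the
article or the Aberdeen findings."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (account, day, transaction_count, total_value)
HISTORY = [
    ("acct-1", 1, 3, 120.0), ("acct-1", 2, 2, 95.0), ("acct-1", 3, 4, 140.0),
    ("acct-1", 4, 3, 110.0), ("acct-1", 5, 2, 80.0), ("acct-1", 6, 3, 125.0),
    ("acct-2", 1, 1, 40.0),  ("acct-2", 2, 1, 35.0),  ("acct-2", 3, 2, 60.0),
    ("acct-2", 4, 1, 45.0),  ("acct-2", 5, 1, 50.0),  ("acct-2", 6, 2, 55.0),
]

# Constructed observations for the day being scored: account -> (count, value)
TODAY = {
    "acct-1": (3, 130.0),    # consistent with its history
    "acct-2": (9, 2400.0),   # sudden burst of many, large transactions
    "acct-3": (1, 20.0),     # no history at all
}


def build_baseline(history):
    """Per-account mean and population stdev of daily count and daily value."""
    counts, values = defaultdict(list), defaultdict(list)
    for acct, _day, n, v in history:
        counts[acct].append(n)
        values[acct].append(v)
    return {
        acct: {
            "count_mean": mean(counts[acct]), "count_sd": pstdev(counts[acct]),
            "value_mean": mean(values[acct]), "value_sd": pstdev(values[acct]),
            "days": len(counts[acct]),
        }
        for acct in counts
    }


def zscore(x, mu, sd, floor):
    """z-score with a floor on sd so a nearly flat history does not turn
    a one-transaction change into an enormous score."""
    return (x - mu) / max(sd, floor)


def score_day(baseline, today, z_threshold=3.0, min_days=5):
    """Return {account: reason} for accounts whose day deviates from baseline.
    z_threshold and min_days are assumed tuning values."""
    flagged = {}
    for acct, (n, v) in today.items():
        b = baseline.get(acct)
        if b is None or b["days"] < min_days:
            # No usable baseline: route to the new-account policy rather than
            # silently treating the account as normal.
            flagged[acct] = "insufficient history"
            continue
        zc = zscore(n, b["count_mean"], b["count_sd"], floor=1.0)
        zv = zscore(v, b["value_mean"], b["value_sd"], floor=10.0)
        if zc > z_threshold or zv > z_threshold:
            flagged[acct] = f"count z={zc:.1f}, value z={zv:.1f}"
    return flagged


if __name__ == "__main__":
    for acct, reason in score_day(build_baseline(HISTORY), TODAY).items():
        print(f"{acct}: {reason}")
```

Each flagged account is the trigger for the "formal documented response" the guideline calls for; the thresholds are where the fraud-loss measurements feed back in, since a threshold that never fires or fires on every account is measurably wrong.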

Provide phone support for online transactions. Investing in phone support can help bolster account holder confidence and help deter fraud.

Use an automated antifraud directory to eliminate transactions with entities already identified as fraudulent by other account providers.

Move toward more real-time fraud analysis and the integration of elements such as geolocation and device authentication.
Many financial institutions have implemented these types of controls. For example, when I connect to my bank via the Internet, the bank checks to see if the device I'm using is authorized. If not, I can add it to my authorized device list after verifying my identity. Although not perfect, this is an easy-to-implement safeguard that can act as a first line of defense to control access to existing accounts.

Provide account holders with choices of additional security such as hardware tokens. It is important to offer solutions appropriate to the expectations and competencies of the account holder.
If an organization provides tokens, it must also provide an alternative authentication/identification method. For example, I have a Verisign-provided token to access my PayPal account. However, if I don't have my token, PayPal allows me to use information it knows about me to authenticate. But the next time I log in I need my token. In other words, as long as I logged in using my token during my last visit to PayPal, I can still access my account if I've forgotten my token. PayPal's safeguard here is that I cannot use tokenless authentication more than once without a token login. This is a good example of how to prevent customer frustration with token-based authentication.
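The two login-time controls described above, the authorized-device check and the once-only token fallback, combined into one login decision, as an added example that is neither PayPal's nor the article's code. The device fingerprint attributes, the keyed hash, the in-memory account state and the order in which the checks run are all assumptions for the example.

```python
"""Login policy: recognised-device check plus a token fallback that may be
used at most once between two token logins. Added example; account state,
fingerprint attributes and check order are assumptions."""
import hashlib
import hmac


class Account:
    def __init__(self, user_id, devices=(), has_token=False):
        self.user_id = user_id
        self.devices = set(devices)         # keyed hashes of registered devices
        self.has_token = has_token          # account opted into a hardware token
        self.last_login_used_token = True   # a token login refills the fallback budget


def device_id(user_agent: str, platform: str, screen: str, secret: bytes) -> str:
    """Stable, keyed hash of device attributes. HMAC with a server secret so
    the stored value cannot be recomputed from a leaked attribute list
    (attribute set and keying are assumptions)."""
    material = "\x1f".join((user_agent, platform, screen)).encode()
    return hmac.new(secret, material, hashlib.sha256).hexdigest()


def decide_login(acct: Account, dev_id: str, password_ok: bool,
                 token_ok: bool = False, kba_ok: bool = False):
    """Return (decision, reason). decision is "allow", "deny", or
    "verify_device" (credentials good, device unknown, identity check needed).
    kba_ok means the knowledge-based fallback questions were answered."""
    if not password_ok:
        return "deny", "bad password"
    if acct.has_token:
        if token_ok:
            acct.last_login_used_token = True
        elif kba_ok and acct.last_login_used_token:
            # One tokenless login is allowed only if the previous login used the token.
            acct.last_login_used_token = False
        elif kba_ok:
            return "deny", "token required: fallback already used since last token login"
        else:
            return "deny", "token or fallback verification required"
    # Device recognition: the first line of defence for an existing account.
    if dev_id not in acct.devices:
        return "verify_device", "unrecognised device; verify identity to register it"
    return "allow", "ok"


def register_device(acct: Account, dev_id: str, identity_verified: bool) -> bool:
    """Add a device only after the out-of-band identity check succeeded."""
    if not identity_verified:
        return False
    acct.devices.add(dev_id)
    return True


if __name__ == "__main__":
    key = b"constructed-server-secret"
    laptop = device_id("Mozilla/5.0", "Linux", "1920x1080", key)
    alice = Account("alice", devices=[laptop], has_token=True)
    print(decide_login(alice, laptop, True, token_ok=True))
    print(decide_login(alice, laptop, True, kba_ok=True))   # first fallback: allowed
    print(decide_login(alice, laptop, True, kba_ok=True))   # second fallback: denied
```

The fallback budget lives on the account, not the session, so a second tokenless attempt from a different device is denied just the same; the device check then decides whether a successful second factor is enough or whether an unknown device still needs the identity verification step before it is added to the list.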

Reward account holders for the adoption of stronger security mechanisms. This makes the transactions safer and actively engages account holders in the protection of their account and in turn contributes to building account holder confidence.

Disclaimer: Blog contents express the viewpoints of their independent authors and are not reviewed for correctness or accuracy by Toolbox for IT. Any opinions, comments, solutions or other commentary expressed by blog authors are not endorsed or recommended by Toolbox for IT or any vendor.